Web Application Security Working Group - Publications
Recommendations
- Deliverers
- Web Application Security Working Group
This document defines a policy language used to declare a set of content restrictions for a web resource, and a mechanism for transmitting the policy from a server to a client where the policy is enforced.
This document defines a mechanism by which user agents may verify that a fetched resource has been delivered without unexpected manipulation.
Candidate Recommendation Snapshots
This document describes how an author can set a referrer policy for documents they create, and the impact of such a policy on the Referer HTTP header for outgoing requests and navigations.
This document defines a mechanism which allows authors to instruct a user agent to upgrade a priori insecure resource requests to secure transport before fetching them.
Candidate Recommendation Drafts
This specification provides guidelines for user agent implementors and spec authors for implementing features whose properties dictate that they be exposed to the web only within a trustworthy environment.
This specification describes how and why user agents disallow rendering and execution of content loaded over unencrypted or unauthenticated connections in the context of an encrypted and authenticated document.
Working Drafts
This specification defines a mechanism that allows developers to selectively enable and disable use of various browser features and APIs.
An API that allows applications to lock down powerful APIs to only accept non-spoofable, typed values in place of strings to prevent vulnerabilities caused by using these APIs with attacker-controlled inputs.
This document defines a mechanism by which web developers can control the resources which a particular page can fetch or execute, as well as a number of security-relevant policy decisions.
This specification describes an imperative API enabling a website to request a user’s credentials from a user agent, and to help the user agent correctly store user credentials for future use.
This specification defines a well-known URL that sites can use to make their change password forms discoverable by tools. This simple affordance provides a way for software to help the user find the way to change their password.
The Permissions API allows a web application to be aware of the status of a given permission, to know whether it is granted, denied or if the user will be asked whether the permission should be granted.
This document defines a set of Fetch metadata request headers that aim to provide servers with enough information to make a priori decisions about whether or not to service a request based on the way it was made, and the context in which it will be used.
This document defines an imperative mechanism which allows web developers to instruct a user agent to clear a user’s locally stored data related to a host and its subdomains.
This document defines a mechanism by which a web page can embed a nested browsing context if and only if it agrees to enforce a particular set of restrictions upon itself.
This document defines directives for the Content Security Policy mechanism to declare a set of input protections for a web resource's user interface, defines a non-normative set of heuristics for Web user agents to implement these input protections, and defines a reporting mechanism for when they are triggered.
First Public Working Drafts
Post-Spectre, we need to adopt some new strategies for safe and secure web development. This document outlines a threat model we can share, and a set of mitigation recommendations.
This specification defines an API for specifying privacy and integrity policies on data, in the form of origin labels, and a mechanism for confining code according to such policies. This allows Web application authors and server operators to share data with untrusted (buggy but not malicious) code, e.g. in a mashup scenario, yet impose restrictions on how the code can share the data further.